我正在使用 AWS CDK。
我创建了客户管理的 CMK KMS 密钥以在 dynamoDB 表上启用服务器端加密。
KMS 密钥策略:
public static getKMSKeyPolicyDocument(): PolicyDocument {
return new PolicyDocument({
statements: [
//Allow root in IAM Policy: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
new PolicyStatement({
principals: [new AccountRootPrincipal()],
actions: ["kms:*"],
resources: ["*"],
}),
new PolicyStatement({
principals: [
new ServicePrincipal("dynamodb.amazonaws.com"),
new ServicePrincipal("lambda.amazonaws.com"),
],
actions: [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:Get*",
"kms:List*",
],
resources: ["*"],
}),
],
});
}
一些 Lambda 使用这些 dynamo db 表来获取数据。所以,我的问题是:
我们是否需要再次显式授予每个 lambda 访问 KMS 密钥的权限?
public static grantAccessToKMSKey(role: IRole, kmsKey: IKey): void {
role.addToPrincipalPolicy(
new PolicyStatement({
actions: [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*",
"kms:Get*",
"kms:List*",
],
resources: [kmsKey.keyArn],
})
);
}